MikroTik Chateau Pro AX has options for bridge filtering, which I assume, are either similar to Netfilter EBTables or is based on Netfilter EBTables. In GUI I can restrict protocols to TCP/UDP (via NAT Firewall), enable/disable ARP (via bridge and port settings/options), enable/disable LLDP (and similar) frames, filter VLAN tagged frames, but that is not enough. I want to disable any possibility of magic frames, Wake-on-LAN frames, etc. There are many of them (https://en.wikipedia.org/wiki/EtherType). I want my router to filter all frames, except the required ones:
1. IPv4 (0x0800)
2. ARP (0x0806), preferably restrict to only ARP Request and ARP Reply
3. WiFi Authentication (0x888E)

I can do that with EBTables, but does MikroTik allow for some other way to do it? I also want this kind of filtering to apply itself automatically on boot or shortly after OS is booted.

What is wrong with using "bridge filter", which probably indeed will map to ebtables, for that?

Bridge Filter doesn't specify what is filters. For example, your NAT firewall filter can be set to allow exclusively TCP and UDP traffic, but LLDP (data link layer) frames are not going to be filtered, even when bridge filtering is enabled. LLDP and similar frames are controlled by "Discovery" settings, but RouterOS doesn't have settings for every single EtherType. I don't think any router does, which is why I think it requires a custom script.

It's unknown how MikroTik filters bridges anyway. For example, it is possible to BROUTE with EBTables. That forces data to skip Netfilter bridge tables entirely and send information to upper layer (IPTables), but IPTables can't filter any link layer frames (aside from ARP). This is why I ask.

It would also be great if there was some layer 2 filtering (aside from ARP) for WAN port, but EBTables is LAN-only and doesn't filter WAN.

The command line parser accepts this:
Enter that line fragment followed by TAB key to see what else you can add.